[OTR-users] Stronger crypto?

Ian Goldberg ian at cypherpunks.ca
Sat May 10 12:51:13 EDT 2008


On Sat, May 10, 2008 at 01:59:49PM +0200, Jonathan Schleifer wrote:
> Hi!
> 
> I looked at the specification of the OTR protocol and have a few
> suggestions.
> 
> First: Why not move from AES128-CTR to AES256-CBC? It only needs a few
> cycles more, but provides stronger crypto. Shouldn't be a problem, even
> on slower machines.
> 
> Second: Why not increase the public/private key to 4096 bit? DSA2 can
> handle that. And since that key isn't generated every 5 minutes,
> performance on slow machines shouldn't be an issue here either.
> 
> I haven't read the whole specification, only had a quick look at it, so
> feel free to correct me if I've missed something.
> 
> I'd welcome it if there'd be a new OTR version providing stronger crypto.

Can you elucidate what your threat model is that you think 128-bit AES
isn't enough?  The existence of AES-256 is largely to hedge against a
future advent of a working quantum computer (which could break AES-128
in 2^64 work, but need 2^128 work to break AES-256).  But a quantum
computer would plow right through the DH key exchange used to generate
the 256-bit key, and you'd be sunk anyway.

Speaking of the DH, if we were to switch to 256-bit symmetric keys, we'd
have to switch the DH to something in the 10,000-bit range for
equivalent security.  (Otherwise, it would be way easier to break the DH
to determine the symmetric key than it would be to break the AES
directly, and you gain nothing.)  This would be way too slow, since it's
performed almost every time a message is sent.  We'd probably need
something elliptic-curve based, which opens up other cans of worms.

There's a similar issue with the authentication keys: it doesn't help to
greatly raise the security level of the signature scheme, if the thing
you're signing (a MAC in this case) is of weaker security.  All parts of
the system need to fit together.  In addition, authentication keys can
be changed easily, and with no loss of past message secrecy, if it does
turn out for some reason that people begin to be able to forge
signatures with existing DSA keys.  The OTR protocol already includes a
key type feature, anticipating this possible future need.  But in my
opinion, the need isn't there at this time.

Thanks,

   - Ian
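The sizing argument in Ian's reply (a 256-bit symmetric key calls for a DH modulus "in the 10,000-bit range", a quantum adversary halves symmetric strength, and the whole protocol is only as strong as its weakest part) can be checked numerically. The script below is an added worked example, not code from the thread or from the OTR project. It estimates finite-field DH strength from the heuristic GNFS running time L[1/3, (64/9)^(1/3)], calibrated at the conventional 1024-bit-modulus = 80-bit-security point; that calibration, the 1536-bit DH modulus and the 128-bit MAC width in `compare_proposals` are assumptions for illustration, not parameters taken from the thread.

```python
import math

# Heuristic GNFS cost L[1/3, c] with c = (64/9)^(1/3): the best known classical
# attack on discrete logs modulo a prime (finite-field DH) and on factoring.
# Calibrating at 1024-bit modulus ~ 80-bit security is an assumption of this
# model (the usual NIST-style equivalence), not something the thread states.
GNFS_C = (64.0 / 9.0) ** (1.0 / 3.0)
CALIBRATION_MODULUS_BITS = 1024
CALIBRATION_SECURITY_BITS = 80.0


def _ln_gnfs_cost(modulus_bits):
    """Natural log of the GNFS work estimate for a modulus of the given size."""
    ln_n = modulus_bits * math.log(2)
    return GNFS_C * ln_n ** (1.0 / 3.0) * math.log(ln_n) ** (2.0 / 3.0)


def dh_security_bits(modulus_bits):
    """Classical security level (log2 of attacker work) of finite-field DH with a
    prime modulus of `modulus_bits` bits, relative to the calibration point."""
    delta = _ln_gnfs_cost(modulus_bits) - _ln_gnfs_cost(CALIBRATION_MODULUS_BITS)
    return CALIBRATION_SECURITY_BITS + delta / math.log(2)


def dh_bits_for_security(target_bits, lo=512, hi=65536):
    """Smallest modulus size (bits) whose estimated security reaches target_bits.
    Bisection is valid because dh_security_bits is monotonic in the modulus size."""
    if dh_security_bits(hi) < target_bits:
        raise ValueError("target above search range")
    while lo < hi:
        mid = (lo + hi) // 2
        if dh_security_bits(mid) >= target_bits:
            hi = mid
        else:
            lo = mid + 1
    return lo


def grover_symmetric_bits(key_bits):
    """Grover's algorithm lets a quantum attacker search a k-bit key in about
    2^(k/2) steps: the 2^64 (AES-128) and 2^128 (AES-256) figures in the thread."""
    return key_bits / 2.0


def weakest_link(components):
    """A protocol's overall strength is bounded by its weakest component.
    `components` maps a label to that component's security level in bits."""
    name = min(components, key=components.get)
    return name, components[name]


def compare_proposals():
    """Compare an AES-128 configuration with the AES-256 proposal while the DH
    modulus is left unchanged.  The 1536-bit modulus and 128-bit MAC tag are
    constructed values for illustration, not OTR's actual parameters."""
    current = {
        "AES-128": 128.0,
        "DH-1536 (assumed)": dh_security_bits(1536),
        "MAC tag (128-bit, assumed)": 128.0,
    }
    proposed = dict(current)
    del proposed["AES-128"]
    proposed["AES-256"] = 256.0
    return weakest_link(current), weakest_link(proposed)


if __name__ == "__main__":
    for bits in (1024, 1536, 2048, 3072, 7680, 15360):
        print("DH-%5d  ~ %6.1f-bit security" % (bits, dh_security_bits(bits)))
    for target in (128, 256):
        print("%d-bit security needs a ~%d-bit DH modulus"
              % (target, dh_bits_for_security(target)))
    print("Grover: AES-128 -> %.0f bits, AES-256 -> %.0f bits"
          % (grover_symmetric_bits(128), grover_symmetric_bits(256)))
    cur, prop = compare_proposals()
    print("weakest link now: %s (%.1f bits)" % cur)
    print("weakest link after AES-256 swap: %s (%.1f bits)" % prop)
```

Running it shows the model landing near the familiar equivalences (roughly 130 bits for a 3072-bit modulus, roughly 260 bits for 15360) and that reaching 256-bit security needs a modulus well over 14,000 bits, which is the "10,000-bit range" Ian refers to. `compare_proposals` makes the weakest-link point concrete: swapping AES-128 for AES-256 leaves the same DH group as the limiting component, so the overall level does not move.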
